This is the most detailed story I found on how they tracked down the creator of Melissa. In addition to the info on how they used the MSFT watermarks, this details how the FBI is also after a hosting company and a small ISP. Even the "Defense Department-sponsored Computer Emergency Response Team at Carnegie Mellon University" got involved. Some incredibly Orwellian stuff in this article, it's a real classic.
We apparently have many govt agencies and their helpers crawling over themselves to take credit for figuring this out.
Oops, I think that last sentence just kicked off the program that creates an FBI file...
-------------------------
Melissa suspect arrested in New Jersey
By Stephen Shankland, Staff Writer, CNET News.com
April 2, 1999, 12:50 p.m. PT
A New Jersey man, David L. Smith, was arrested by federal and state officials yesterday and charged with disseminating the Melissa virus that began spreading across the Internet March 26.
Smith, 30, a resident of Aberdeen Township, New Jersey, was arrested last night at the home of his brother in Eatontown, New Jersey, said Paul Loriquet, a spokesman for New Jersey Attorney General Peter Verniero. Smith was tracked down with the help of America Online and by tracing phone calls, Loriquet said.
Smith was charged with interrupting public communication, conspiracy to commit the offense, and the attempt to commit the offense. In addition, he was charged with two lesser offenses: theft of computer service and wrongful access to computer systems.
The FBI still is investigating whether to file federal charges, said spokeswoman Debby Weierman.
Smith did not immediately return a telephone message left on his answering machine.
If convicted on the state charges, Smith faces a maximum of 40 years in prison and fines of $480,000. An arraignment has not yet been scheduled, and Smith has yet to retain an attorney, Loriquet said.
Smith was released this morning on two $50,000 cash bonds, Loriquet said.
The New Jersey Attorney General's office said initial information leading to Smith's arrest came from America Online.
AOL wouldn't comment on how it helped with the investigation other than to say it cooperated fully with the FBI and New Jersey state law enforcement officials, said spokeswoman Kim McCreery. McCreery declined to say what data AOL keeps on its members or what information it provided to investigators.
AOL had traced information that led to a bulletin board, and from there to email list servers, Loriquet said. That information led to the search warrants, the resulting phone line traces, and the arrest of Smith, he said.
Whether federal charges are filed depends on whether the virus violated federal laws that forbid "the transmission of a program, information, code, or command" that "intentionally causes damage, without authorization, to a protected computer," said John Russell of the Justice Department. A violation of that provision could result in up to ten years in prison and a $250,000 fine, he said.
The Melissa virus was introduced on an "alt.sex" newsgroup early last Friday morning using the AOL account of Scott Steinmetz, whose username was "skyroket." Steinmetz, a civil engineer in Lynnwood, Washington, told CNET News.com earlier this week that he had nothing to do with writing or introducing the virus.
The virus uses a combination of Microsoft's Outlook and Word programs to spread, taking advantage of users' email address book entries to gain the appearance of coming from a known person.
The arrest was made by law enforcement officials from the state division of criminal justice, the New Jersey state police, the FBI, and Monmouth County, Loriquet said.
Meanwhile, the FBI also confiscated a computer from Internet service provider Access Orlando in Orlando, Florida, and investigated a small Internet company in northeast Tennessee.
Access Orlando is the small Internet service provider that leased its lines to the owner of the computer seized by the FBI. A Web site on the computer, Source of Kaos, hosted space to "VicodinES," the online name of a person or persons suspected of authoring the virus, according to Access project manager Ron Spohn.
VicodinES "was a client who had a personal Web site and posted what he wanted to post," Sibert said. Some of those postings were about the creation of computer viruses, he said.
"I gave my permission for the FBI to take the computer, but I really didn't have much choice," said Roger Sibert, who owns the computer and administered the Source of Kaos Web site.
Sibert, 33, of Winter Park, Florida, said his Web site is devoted to "unpopular freedom of speech issues like 'I hate Microsoft' and freedom of choice."
The computer's contents will be examined once a search order is issued, said Sibert, who has retained the services of an attorney. "I plan to cooperate," he said.
Sibert said he doesn't agree with the person who wrote the Melissa virus. He said he also was contacted by the New York attorney general's office.
The FBI also contacted Global Connection, a small Internet service provider in Kingsport, Tennessee, whose computers hosted the Web site Codebreakers.org, according to Dennis Halsey, 36, chief executive of Global Connection. That site contained computer virus information and may have helped spread the Melissa virus, Halsey said.
A few days ago, a Silicon Valley company and another person contacted Halsey by email, saying they got the Melissa virus and tracked it to the Codebreakers Web site.
The Defense Department-sponsored Computer Emergency Response Team at Carnegie Mellon University also found digital tracks leading to the site, Halsey said.
"We shut down the Web site on Monday. We don't like viruses any more than anybody," Halsey said.
The Codebreakers Web site was put together by his business partner and a friend of the partner, Halsey said. That friend, he said, "is apparently in a large, international virus organization."
Halsey said he talked to a local FBI agent by telephone this morning and to local police detectives. He said they indicated they will want to see his company's records.
Global Connection was started about eight months ago and has about 1,000 subscribers. Halsey said he and his partner might have been naive about the Codebreakers site and its contents. "We are just a link in this massive chain of events," Halsey said.
Richard Smith, president of Phar Lap Software in Cambridge, Massachusetts, helped trace the virus to two possible authors, VicodinES and Alt-F11, who had posted viruses on the Codebreakers and Source of Kaos Web sites.
Smith fingered the authors using a unique identifier that Microsoft Word saves in documents, including the document used to launch Melissa. That identifier is based on a unique number that comes with a computer's network card, or that Word creates on its own if no network card is present.
Privacy advocates have criticized the features, and Microsoft has posted software that lets people turn off the feature or wipe those traces out of their Word files.
When Smith found the number and asked for help, Frederik Bjorck of Sweden found virus files on some Web sites, including Source of Kaos, that matched the identifier.
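An added illustration of the identifier matching described above (not part of the article or the original post). It assumes the Word identifier is laid out as a version-1 (time-based) UUID, whose last 48 bits hold the network card's address or, when no card is present, a generated value with the multicast bit set; the article does not state the layout. The file names and GUIDs are constructed.

```python
import uuid
from collections import defaultdict

# Constructed sample data: file names and GUIDs are invented for this example.
# The first two share a node taken from the 00:00:5e:00:53:xx documentation range.
SAMPLE_DOCS = {
    "list.doc":    "{1a2b3c40-5d6e-11d2-8f00-00005e005301}",
    "macro_a.doc": "{2b3c4d50-6e7f-11d2-9a10-00005e005301}",
    "memo.doc":    "{3c4d5e60-7f80-11d2-8b20-0300aabbcc01}",
    "report.doc":  "{9f1c2d3e-4a5b-4c6d-8e7f-0123456789ab}",
}


def node_info(guid):
    """Return (node as MAC-style string, generated_flag) for a version-1 UUID.

    Returns None for any other UUID version, which carries no node field.
    """
    u = uuid.UUID(guid)  # uuid.UUID accepts the braced form directly
    if u.variant != uuid.RFC_4122 or u.version != 1:
        return None
    octets = u.node.to_bytes(6, "big")
    mac = ":".join(f"{b:02x}" for b in octets)
    # Multicast bit set in the first octet means the node was generated,
    # not read from a network card.
    generated = bool(octets[0] & 0x01)
    return mac, generated


def group_by_node(docs):
    """Map each node value to the sorted list of documents that carry it."""
    groups = defaultdict(list)
    for name, guid in docs.items():
        info = node_info(guid)
        if info is not None:
            groups[info[0]].append(name)
    return {mac: sorted(names) for mac, names in groups.items()}


def shared_origin(docs):
    """Keep only nodes that appear in more than one document."""
    return {m: n for m, n in group_by_node(docs).items() if len(n) > 1}


if __name__ == "__main__":
    for mac, names in shared_origin(SAMPLE_DOCS).items():
        print(mac, "->", ", ".join(names))
```

Documents that share a node value were most likely saved on the same machine, which is the privacy exposure behind the tools for stripping the identifier from Word files.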